Re: iptables PPTP tunneling

On Mon, Jun 20, 2005 at 09:52:20PM +0300, Wladimir Mutel wrote:
> 	In our private LAN we have Windows server that initiates PPTP
> 	connection with outside VPN server. tcp/1723 traffic is always
> 	masqueraded very well, but when it comes to GRE, the ruleset
> 	often loses outgoing GRE packet (does it translate it or not, I
> 	don't know, but it does not create anything
> 	related/established - when outside server tries to send GRE
> 	packet first, our Linux router responds with ICMP: protocol 47
> 	unreachable). But this behaviour sometimes changes to desirable
> 	one: in some way, GRE connection is established and
> 	translated/masqueraded very well for the rest of time until
> 	Windows reconnect or Linux reboot/ruleset reload.

yes, that is totally conforming to what your ruleset looks like.

if the first packet comes from your internal network, then a nat mapping
is set up, and incoming response packets will be NATed accordingly.

if the first packet comes from your remote pptp server, then your
ruleset treats it like an incoming connection to a not-opened port and
therefore sends it up the local network stack.  Since no program has
opened a socket for the gre protocol, the NAT machine responds with
protocol unreachable.

If you want to make it work, you have two options:

1) to configure a DNAT rule for GRE,
DNAT'ing all incoming GRE packets from the server to your internal PPTP
client.

2) to configure your NAT box to silently DROP incoming GRE packets with
state "NEW".  This way you basically ignore the first packet(s) from
server->client and wait for the client->server packet to set up the
connection.


> 	As I know, you work on PPTP masquerading module for iptables and
> 	kernel 2.6. Could you please inform when it will be possible to
> 	use it with kernel 2.6.12, or how could we masquerade (single)
> 	PPTP connection with current 2.6.12 iptables feature set and get
> 	more predictable behaviour from it than that random one I just
> 	described.

the scheduled date is no later than June 30.  But you don't need a
conntrack/nat helper if you only run one pptp session, just configure
your nat correctly and it will work.

> 
> 	Thank you in advance for your reply.
-- 
- Harald Welte <laforge@xxxxxxxxxxxxx>                 http://netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie
